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WHAT IS CLAIMED IS: 

1. A method of email access control, comprising the steps 
of: 

ving a personalized access ticket containing a 
dentif ication and a recipient's identification in 


recei 
sender's i 


correspondence, which is presented by a sender who wishes 


to send an 
recipient 


email to a recipient so as to specify the 
as an intended destination of the email, at a 


between tl 
contj 
recipient 
respect t<b 
access tic 


10 secure confmun ication service for connecting communications 
e sender and the receiver; and 
oiling accesses between the sender and the 
by verifying an access right of the sender with 

the recipient according to the personalized 
ket at the secure communication service. 


2. The method of claim 1, wherein at the controlling step 
the secure communication service authenticates the 
personalised access ticket presented by the sender, and 
refuses a delivery of the email when the personalized 
access ticket presented by the sender has been altered. 


3. The mekhod of claim 2, wherein the personalized access 
ticket is skgned by a secret key of a secure processing 

25 device which issued the personalized access ticket, and at 
the controlling step the secure communication service 
authenticates the personalized access ticket by verifying a 
signature ofl the secure processing device in the 
personalized! access ticket- using a public key of the secure 

30 processing device. 


35 


4. The methtad of claim 1, wherein at the receiving step 
the secure communication service also receives the sender's 
identification presented by the sender along with the 
personalized d ccess ticket, and at the controlling step the 
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secure communication service checks whether the sender's 
identification presented by the sender is contained in the 
personalized access ticket presented by the sender, and 
refuses a delivery of the email when the sender's 
identification presented by the sender is not contained in 
the personalized access ticket presented by the sender. 


Si 


5. The method of claim 1, wherein the personalized access 
ticket klso contains a validity period indicating a period 

10 for whiqh the personalized access ticket is valid, and at 
the controlling step the secure communication service 
checks tie validity period contained in the personalized 
access ti\cket presented by the sender and refuses a 
delivery ©f the email when the personalized access ticket 

15 presented Vby the sender contains the validity period that 
has already been expired. 

6. The method of claim 5, wherein the validity period of 
the personalized access ticket is set by a trusted third 

20 party. 


m 
. 


7. The metllod of claim 1, further comprising the step of; 

issuing the personalized access ticket to the sender 
at a directory service for managing an identification of 

25 each registrant and a disclosed information of each 
registrant whiah has a lower secrecy than a personal 
information, in! a state which is accessible for search by 
unspecified many, in response to search conditions 
specified by thdt sender, by using an identification of. a 

30 registrant whose! disclosed information matches the search 
conditions as th<i recipient's identification and the 
sender's identification specified by the sender along with 
the search conditions. 


35 8 


The method of\ claim 1, further comprising the step of 
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registering in advance the personalized access ticket 
containing an identification of a specific user from which 
a delivery of emails to a specific registrant is to be 
refused ate the sender's identification and an 
identification of the specific registrant as the 
recipient '\s identification, at the secure communication 
service ; 

wherein the controlling step the secure communication 
service refuses a delivery of the email from the sender 
when the personalized access ticket presented by the sender 
is registered therein in advance at the registering step. 


9. The method of claim 8, further comprising the step of: 
deleting the personalized access ticket registered 
15 at the secure! communication service upon request from the 
specific registrant who registered the personalized access 
ticket at the Iregistering step. 


fU 


10. The method of claim 1, wherein the personalized access 
20 ticket also contains a transfer control flag indicating 
whether or not \the sender should be authenticated by the 
secure communication service, and at the controlling step, 
when the transfer control flag contained in the 
personalized access ticket indicates that the sender should 
25 be authenticated!, the secure communication service 

authenticates thte sender's identification presented by the 
sender and refuses a delivery of the email when an 
authentication of\ the sender's identification fails. 


30 11. The method of claim 10, wherein the authentication of 
the sender's identification is realized by a 
challenge/response procedure between the sender and the 
secure communi cat lion service. 


35 12. The method of claim 10, wherein the transfer control 
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flag of \the personalized access ticket is set by a trusted 
third painty 

13. The Apethod of claim 1, wherein the sender's 
5 identification and the recipient's identification in the 

personalized access ticket are given by real email 
addresses of the sender and the recipient. 

14. The merthod of claim 1, wherein the sender's 

10 identification and the recipient's identification in the 
personalized access ticket are given by anonymous 
identifications of the sender and the recipient, where an 
anonymous identification of each user contains at least one 
fragment of an official identification of each user by 

15 which each ud[er is uniquely identifiable by a certification 
authority . 

15. The method of claim 14, wherein the anonymous 
identification! of each user is an information containing 

20 the at least one fragment of the official identification of 
each user whicft is signed by the certification authority 
using a secret Ikey of the certification authority. 

16. The method\of claim 14, wherein the official 
25 identification dlf each user is a character string uniquely 

assigned to each! user by the certification authority and a 
public key of eadh user which are signed by a secret key of 
the certification! authority. 


30 


35 


17, 
of: 


The method of claim 14, further comprising the step 


probabilisti 
sender by reconst 
sender by judging 
identifications of 


[ally identifying an identity of the 
cting the official identification of the 
dentity of a plurality of anonymous 
the sender contained in a plurality of 
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personalized access tickets used by the sender 


18. Ttie method of claim 1, wherein an anonymous 
identification of each user that contains at least one 

5 fragment of an official identification of each user by 

which eafch user is uniquely identifiable by a certification 
authority and a link information of each anonymous 
identif idation by which each anonymous identification can 
be uniquely identified are defined, and the sender's 
10 identification and the recipient's identification in the 
personalised access ticket are given by a link information 
of the anoViymous identification of the sender and a link 
information of the anonymous identif ication of the 
recipient . 1 

15 1 

19. The merthod of claim 1, wherein the link information of 
each anonymks identification is an identifier uniquely 
assigned to leach anonymous identification by the 

certif icaticin authority. 

20 1 

20. The method of claim 18, further comprising the step 

of: 1 

probabilistically identifying an identity of the 
sender by reconstructing the official identification of the 
25 sender by judging identity of a plurality of anonymous 
identifications of the sender corresponding to the link 
information contained in a plurality of personalized access 
tickets used b# the sender. 

30 21. The method! of claim 1, wherein the personalized access 
ticket contains! a single sender's identification and a 
single recipient's identification in 1-to-l correspondence. 

22. The method lof claim 1, wherein the personalized access 
35 ticket contains W single sender's identification and a 
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plu 
corr 


r a 


lity of recipient's identifications in 1-to-N 
spondence, where N is an integer greater than 1 


23. \The method of claim 22, wherein one identification 
among\the single sender's identification and the plurality 
of recipient's identifications is a holder identification 
for identifying a holder of the personalized access ticket 
while bther identifications among the single sender's 
identification and the plurality of recipient's 
identifications are member identifications for identifying 
members! of a group to which the holder belongs. 

24. Thi method of claim 23, further comprising the step 
of: I 

issWing an identification of each user and an enabler 
of the identification of each user indicating a right to 
change the personalized access ticket containing the 
identification of each user as the holder identification, 
to each uteer at a certification authority, such that 
prescribed processing on the personalized access ticket can 
be carried out at a secure processing device only by a user 
who presented both the holder identification contained in 
the personalized access ticket and the enabler 
corresponding to the holder identification to the secure 
processing device. 

25. The method of claim 24, wherein the certification 
authority issues the enabler of the identification of each 
user as an iiiformation indicating that it is the enabler 
and the identification of each user itself which are signed 
by a secret kly of the certification authority. 

26. The methok of claim 24, wherein the prescribed 
processing includes a generation of a new personalized 
access ticket, la merging of a plurality of personalized 
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access tickets, a splitting- of one personalized access 
ticket into a plurality of personalized access tickets, a 
changing: of the holder of the personalized access ticket, 
changing of a validity period of the personalized access 
ticket, and a changing of a transfer control flag of the 
personalized access ticket. 


27. Ttlie method of claim 26, wherein a special 
identification and a special enabler corresponding to the 

10 special! identification which are known to all users are 
defined! such that the generation of a new personalized 
access ticket and the changing of the holder of the 
personalized access ticket can be carried out by the holder 
of the personalized access ticket by using the special 

15 identification and the special enabler without using an 
enabler df a member identification. 


28. The Ipethod of claim 27, wherein the special 
identification is defined to be capable of being used only 

20 as the hol\ier identification of the personalized access 
ticket . 

29. The method of claim 26, wherein a special 
identification which is known to all users is defined such 

25 that a read inly attribute can be set to the personalized 
access ticket! by using the special identification. 


30. The methdd of claim 1, wherein at the controlling 
step, when the! access right of the sender with respect to 
30 the recipient is verified according to the personalized 
access ticket, Ithe secure communication service takes out 
the recipient's! identification from the personalized access 
ticket by using! the sender's identification presented by 
the sender, concerts the mail by using a taken out 
35 recipient's identification into a format that can be 
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interpreted by a mail transfer function for actually 
carrying out a mail delivery processing, and gives the mail 
after Aonversion to the mail transfer function by attaching 
the personalized access ticket. 


?! 5 


31. A mpthod of email access control, comprising the steps 
of: 

defilnlng an official identification of each user by 
which each user is uniquely identifiable by a certification 
10 authority! and an anonymous identification of each user 
containing at least one fragment of the official 
identif icafcion ; and 

identifying each user by the anonymous identification 
of each user in communications for emails on a 
15 communicatipn network, 

32. The method of claim 31, wherein the anonymous 
identification of each user is an information containing 
the at leastlone fragment of the official identification of 

20 each user which is signed by the certification authority 
using a secrelt key of the certification authority. 

33. The method of claim 31, wherein the official 
identification! of each user is a character string uniquely 

25 assigned to eafch user by the ' certification authority and a 
public key of iach user which are signed by a secret key of 
the certification authority. 


30 


35 


34, 
of: 


The method \of claim 31, further comprising the steps 


receiving al personalized access ticket containing a 
sender's anonymous identification and a recipient's 
anonymous identification in correspondence, which is 
presented by a setader who wishes to send an email to a 
recipient so as tb specify the recipient as an intended 
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destination of the email, at a secure communication service 
for connecting communications between the sender and the 

receivers and 

controlling accesses between the sender and the 
recipient! by verifying an access right of the sender with 
respect tb the recipient according to the personalized 
access ti&ket at the secure communication service. 


10 


15 


35. 
of: 


The mtethod of claim 34, further comprising the step 


probabilistically identifying an identity of the 
sender at tftie secure communication service by 
reconstructing the official identification of the sender 
while judging identity of a plurality of anonymous 
identifications of the sender contained in a plurality of 
personalized access tickets used by the sender. 


M3 


36. The method of claim 31, wherein the defining step also 
defines a liAk information of each anonymous identification 

20 by which eacbl anonymous identification can be uniquely 

identified, ahd each anonymous identification also contains 
the link information of each anonymous identification. 

37. The methofl of claim 36, wherein the link information 
25 of each anonymdus identification is an identifier uniquely 

assigned to each anonymous identification by the 
certification authority. 


30 


35 


38 . 
of: 


The method bf claim 36, further comprising the steps 


receiving a (personalized access ticket containing a 
link information \of a sender's anonymous identification and 
a link informatioh of a recipient's anonymous 
identification inl correspondence , which is presented by a 
sender who wishes I to send an email to a recipient so as to 
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spefcify the recipient as an intended destination of the 
ema^l, at a secure communication service for connecting 
comMuni cat ions between the sender and the receiver; and 

controlling accesses between the sender and the 
recipient by verifying an access right of the sender with 
respect to the recipient according to the personalized 
acceste ticket at the secure communication service. 


10 


15 


39. 
of: 


ie method of claim 38, further comprising the step 


probabilistically identifying an identity of the 
sender toy reconstructing the official identification of the 
sender Ihile judging identity of a* plurality of anonymous 
identifications of the sender corresponding to the link 
information contained in a plurality of personalized access 
tickets rtsed by the sender. 


- r= 


40. A communication system realizing email access control, 
comprisinj 

20 a comWinication network to which a plurality of user 

terminals are connected; and 

a secure communication service device for connecting 
communicatibns between the sender and the receiver on the 
communication network, by receiving a personalized access 

25 ticket containing a sender's identification and a 

recipient's identification in correspondence, which is 
presented by \a sender who wishes to send an email to a 
recipient so ks to specify the recipient as an intended 
destination ol the email, and controlling accesses between 

30 the sender and\ the recipient by verifying an access right 
of the sender toith respect to the recipient according to 
the personalized access ticket. 


35 


41. The system\of claim 40, wherein the secure 
communication service device authenticates the personalized 
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accesls ticket presented by the sender, and refuses a 
delivery of the email when the personalized access ticket 
presented by the sender has been altered. 

42. Aie system of claim 41, further comprising: 
a\ secure processing device for issuing the 

personalized access ticket which is signed by a secret key 
of the Isecure processing device; 

whterein the secure communication service device 
authenticates the personalized access ticket by verifying a 
signature of the secure processing device in the 
personalized access ticket using a public key of the secure 
processing device. 

43. The system of claim 40, wherein the secure 
communication service device also receives the sender's 
identification presented by the sender along with the 
personalized access ticket, checks whether the sender's 
identification presented by the sender is contained in the 
personalized access ticket presented by the sender, and 
refuses a delivery of the email when the sender's 
identification presented by the sender is not contained in 
the personalized access ticket presented by the sender. 

44. The systdp of claim 40, wherein the personalized 
access ticket klso contains a validity period indicating a 
period for whidh the personalized access ticket is valid, 
and the secure Communication service device checks the 
validity period\contained in the personalized access ticket- 
presented by the\ sender and refuses a delivery of the email 
when the personalized access ticket presented by the sender 
contains the validity period that has already been expired. 

45. The system ot claim 44, further comprising: 

a trusted third party for setting the validity period 
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of the personalized access ticket 
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46. The sytetem of claim 40, further comprising: 
a directory service device for managing an 

5 identification of each registrant and and a disclosed 

information df each registrant which has a lower secrecy 
than a personal information, in a state which is accessible 
for search by Unspecified many, and issuing the 
personalized a&cess ticket to the sender in response to 
10 search conditions specified by the sender, by using an 

identification \f a registrant whose disclosed information 
matches the seaAch conditions as the recipient's 
identification akd the sender's identification specified by 
the sender along\with the search conditions 

15 

47. The system c\f claim 40 , wherein the secure 
communication serVice device registers in advance the 
personalized access ticket containing an identification of 
a specific user friom which a delivery of emails to a 

20 specific registrant is to be refused as the sender's 
identification andlan identification of the specific 
registrant as the recipient's identification, and refuses a 
delivery of the email from the sender when the personalized 
access ticket presented by the sender is registered therein 

25 in advance. 


48. The system of claim 47, wherein the secure 
communication servici device deletes the personalized 
access ticket registered therein upon request from the 
30 specific registrant w|io registered the personalized access 
ticket . 


49. The system of clAim 40, wherein the personalized 
access ticket also coAtains a transfer control flag 
35 indicating whether or not the sender should be 
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authenticated by the secure communication service, and when 
the transfer control flag contained in the personalized 
access tifcket indicates that the sender should be 
authenticated, the secure communication service device 
authenticates the sender's identification presented by the 
sender andl refuses a delivery of the email when an 
authentication of the sender's identification fails. 

50. The syfetem of claim 49, wherein the authentication of 
10 the sender's identification is realized by a 

challenge/reteponse procedure between the sender and the 
secure communication service device. 

51. The systtem of claim 49, further comprising a trusted 
15 third party fir setting the transfer control flag of the 

personalized access ticket. 


hi 


20 


52. The systeAa of claim 40, wherein the sender's 
identification land the recipient's identification in the 
personalized acteess ticket are given by real email 
addresses of the sender and the recipient. 


53. The system bf claim 40,: further comprising: 

a certification authority device for issuing an 
25 anonymous identification of each user which contains at 

least one fragment of an official identification of each 

user by which eacli user is uniquely identifiable by the 

certification authority device; 

wherein the sender's identification and the 
30 recipient's identification in the personalized access 

ticket are given by\ anonymous identifications of the sender 

and the recipient. 


54. The system of claim 53, wherein the anonymous 
35 identification of ea<Sh user is an information containing 
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the at llast one fragment of the official identification of 

each user! which is signed by the certification authority 

device using a secret key of the certification authority 
device . \ 

5 \ 

55. The system of claim 53, wherein the official 
identif icatVon of each user is a character string uniquely 
assigned toleach user by the certification authority device 
and a publid key of each user which are signed by a secret 

10 key of the certification authority device. 

56. The system of claim 53, wherein the secure 
communication! service device probabilistically identifies 
an identity of the sender by reconstructing the official 

15 identif icatioft of the sender while judging identity of a 
plurality of Anonymous identifications of the sender 
contained in a\ plurality of personalized access tickets 
used by the semder. 

20 57. The system! of claim 40, further comprising: 

a certification authority device for issuing an 

anonymous identification of each user which contains at 

least one fragmeht of an official identification of each 

user by which eaAh user is uniquely identifiable by the 
25 certification authority device and a link information of 

each anonymous identification by which each anonymous 

identification cart be uniquely identified; 

wherein the sfender's identification and the 

recipient's identification in the personalized access 
30 ticket are given by\ a link information of the anonymous 

identification of the sender and a link information of the 

anonymous identification of the recipient. 

58. The system of dlaim 57, wherein the link information 
35 of each anonymous identification is an identifier uniquely 
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assigned to aach anonymous identification by the 
certif ication\authority device. 

59. The system of claim 57, wherein the secure 
communication stervice device probabilistically identifies 
an identity of the sender by reconstructing the official 
identification oV the sender while judging identity of a 
plurality of anoiymous identifications of the sender 
corresponding to Vthe link information contained in a 
plurality of personalized access tickets used by the 
sender . 

60. The system of \ claim 40, wherein the personalized 
access ticket contains a single sender's identification and 
a single recipient'\s identification in 1-to-l 
correspondence . 

61. The system of claim 40, wherein the personalized 
access ticket contains a single sender's identification and 
a plurality of recipient's identifications in 1-to-N 
correspondence, where N is an integer greater than 1. 


62. The system of claim 61, wherein one identification 
among the single sender's identification and the plurality 
of recipient's identifications is a holder identification 
for identifying a holder of the personalized access ticket 
while other identifications among the single sender's 
identification and the \plurality of recipient's 
identifications are member identifications for identifying 
members of a group to wiich the holder belongs. 

63. The system of claim\62, further comprising: 

a certification authority device for issuing to each 
user an identification of\ each user and an enabler of the 
identification of each user indicating a right to change 
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the personalized access ticket containing the 
identification of each user as the holder identification; 
and 

a secAre processing device at which prescribed 
processing bn the personalized access ticket can be carried 
out only by\a user who presented both the holder 
identification contained in the personalized access ticket 
and the enabler corresponding to the holder identification 
to the securi processing device. 

64. The systfem of claim 63, wherein the certification 
authority device issues the enabler of the identification 
of each user ate an information indicating that it is the 
enabler and thk identification of each user itself which 
are signed by 4 secret key of the certification authority 
device . 


65. The system! of claim 63, wherein the prescribed 
processing incliides a generation of a new personalized 

20 access ticket, 1 merging of a plurality of personalized 
access tickets, -la splitting of one personalized access 
ticket into a plurality of personalized access tickets, a 
changing of the holder of the personalized access ticket, 
changing of a validity period of the personalized access 

25 ticket, and a changing of a transfer control flag of the 
personalized access ticket. 


66. The system of claim 65, wherein a special 
identification anil a special enabler corresponding to the 
30 special identification which are known to all users are 

the generation of a new personalized 
the changing of the holder of the 
s ticket can, be carried out by the holder 
=d access ticket by using the special 


defined such that 
access ticket and 
personalized acces 
of the personalize 


35 identification and the special enabler without using an 
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enabler of a member identification. 

67. The system lof claim 66, wherein the special 
identification lis defined to be capable of being used only 
as the holder identification of the personalized access 
ticket . 


10 


68. The system bf claim 65, wherein a special 
identification which is known to all users is defined such 
that a read only attribute can be set to the personalized 
access ticket by using the special identification. 


£3 


20 


69. The system 
of the sender wii: 
according to the 


converts the mail 
identification in 


f claim 40, wherein when the access right 
h respect to the recipient is verified 
15 according to the personalized access ticket, the secure 
communication service device takes out the recipient's 
identification from the personalized access ticket by using 
the sender's iden|tif ication presented by the sender, 

by using a taken out recipient's 
o a format that can be interpreted by a 
mail transfer function for actually carrying out a mail 
delivery processing, and gives the mail after conversion to 
the mail transfer If unction by attaching the personalized 
access ticket. I 

25 I 

70. A communicatibn system realizing email access control, 

comprising: I 

a certification authority device for defining an 
official identification of each user by which each user is 
30 uniquely identifiable by the certification authority 

device, and an anorlymous identification of each user which 
contains at least dne fragment of the official 
identification; anc 

a communication network on which each user is 
35 identified by the anonymous identification of each user in 


v 
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communicaVions for emails on . the communication network. 

71. The System of claim 70, wherein the anonymous 
identification of each user is an information containing 
the at lealt one fragment of the official identification of 
each user Which is signed by the certification authority 
device usirjg a secret key of the certification authority 
device . 


10 72. The syitem of claim 70, wherein the official 

identification of each user is a character string uniquely 
assigned to leach user by the certification authority device 
and a public! key of each user which are signed by a secret 
key of the certification authority device. 

15 

73. The system of claim 70 , further comprising: 
a secure! communication service device for connecting 

communications, between the sender and the receiver on the 
communication hetwork, by receiving a personalized access 

20 ticket containing a sender's anonymous identification and a 
recipient's andnymous identification in correspondence, 
which is presented by a sender who wishes to send an email 
to a recipient \o as to specify the recipient as an 
intended destination of the email, and controlling accesses 

25 between the sendfer and the recipient by verifying an access 
right of the sender with respect to the recipient according 
to the personalised access ticket. 

74. The system of claim 73, wherein the secure 


30 communication ser 
an identity of the 
identification of 


ice device probabilistically identifies 

sender by reconstructing the official 
the sender while judging identity of a 
plurality of anonynous identifications of the sender 
contained in a plurality of personalized access tickets 
35 used by the sender 
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75- The\ system of claim 70, wherein the certification 
authority device also defines a link information of each 
anonymous! identification by which each anonymous 
5 identification can be uniquely identified, and each 

anonymous Identification also contains the link information 
of each anonymous identification. 

76. The syktem of claim 75, wherein the link information 
10 of each anoAymous identification is an identifier uniquely 
assigned to leach anonymous identification by the 
certification authority device. 


15 


20 


25 


30 


77. The system of claim 75, further comprising: 

a secure! communication service device for connecting 
communication^ between the sender and the receiver on the 
communication! network, by receiving a personalized access 
ticket containing a link information of a sender's 
anonymous identification and a link information of a 
recipient's anbnymous identification in correspondence, 
which is presented by a sender who wishes to send an email 
to a recipient so as to specify the recipient as an 
intended destination of the email, and controlling accesses 
between the sender and the recipient by verifying an access 
right of the seiider with respect to the recipient according 
to the personalized access ticket. 

78. The system of claim 77, wherein the secure 
communication seriice device probabilistically identifies 
an identity of thd sender by reconstructing the official 
identification of the sender while judging identity of a 
plurality of link informations of anonymous identifications 
of the sender contained in a plurality of personalized 
access tickets usedlby the sender. 


35 
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79. A stecure communication service device for use in a 
communication system realizing email access control, 
comprisim 

a computer hardware; and 
5 a coniputer software for causing the computer hardware 

to connect! communications between the sender and the 
receiver, by receiving a personalized access ticket 
containing W sender's identification and a recipient's 
identification in correspondence, which is presented by a 
10 sender who wishes to send an email to a recipient so as to 
specify the \recipient as an intended destination of the 
email, and controlling accesses between the sender and the 
q recipient by\verifying an access right of the sender with 

%3 respect to the recipient according to the personalized 

sj 15 access ticket! 

P 80. The secure communication service device of claim 79, 

M wherein the computer software causes the computer hardware 

f 3 to authenticate the personalized access ticket presented by 

the sender, ank refuse a delivery of the email when the 
personalized aqcess ticket presented by the sender has been 
altered . 

81. The secure tcommunication service device of claim 80, 
wherein the personalized access ticket is signed by a 
secret key of a secure processing device which issued the 
personalized accels ticket, and the computer software 
causes the computer hardware to authenticate the 
personalized access ticket by verifying a signature of the 
secure processing {device in the personalized access ticket 
using a public key* of the secure processing device. 

82. The secure communication service device of claim 79, 
wherein the computer software causes the computer hardware 
to also receive the sender's identification presented 


20 


25 


30 


35 
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by the sender along with the personalized access ticket, 
check whether the sender's identification presented by the 
sender is Icontained in the personalized access ticket 
presented by the sender, and refuse a delivery of the email 
5 when the sender's identification presented by the sender is 
not contained in the personalized access ticket presented 
by the sender. 


83. The secure communication service device of claim 79, 
10 wherein the 1 per sonalized access ticket also contains a 
validity periiod indicating a period for which the 
personalized! access ticket is valid, and the computer 
software caukes the computer hardware to check the validity 
period contained in the personalized access ticket 
15 presented by Ithe sender and refuse a delivery of the email 
when the per slonalized access ticket presented by the sender 
contains the Validity period that has already been expired. 


20 


25 


30 


84. The secutie communication service device of claim 79, 
wherein the cdmputer software causes the computer hardware 
to register inl advance the personalized access ticket 
containing an identification of a specific user from which 
a delivery of Imails to a specific registrant is to be 
refused as the bender's identification and an 
identification bf the specific registrant as the 
recipient's ideitif ication , at the secure communication 


service device, 
sender when the 
sender is registle 
device in advanc 


and refuse a delivery of the email from the 
personalized access ticket presented by the 
red at the secure communication service 


85. The secure 
wherein the comp 
to delete the pe 
35 secure communica 


ommunication service device of claim 84, 
iter software causes the computer hardware 
sonalized access ticket registered at the 
ion service device upon request from the 
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ticket 


c registrant who registered the personalized access 
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86. The! secure communication service device of claim 79, 
wherein lihe personalized access ticket also contains a 
transfer ^control flag indicating whether or not the sender 
should bel authenticated by the secure communication 
service device, and when the transfer control flag 
contained \in the personalized access ticket indicates that 

10 the sender! should be authenticated, the computer software 
causes the Icomputer hardware to authenticate the sender's 
identif icatii on presented by the sender and refuse a 
delivery of 1 the email when an authentication of the 
sender's identification fails. 

15 

87. The secure communication service device of claim 86, 
wherein the Computer software causes the computer hardware 
to realize t&e authentication of the sender's 

identif icatiqn by a challenge/response procedure between 
20 the sender anp the secure communication service device. 


Vnrf 


88. The secuqe communication service device of claim 79, 
wherein the sender's identification and the recipient's 
identif ication\ in the personalized access ticket are given 
25 by anonymous identif ications of the sender and the 

recipient, wherie an anonymous identification of each user 
contains at least one fragment of an official 

:>f each user by which each user is uniquely 
a certification authority, and the computer 


identification 
identifiable by 


30 software also causes the computer hardware to 

probabilistically identify an identity of the sender by 
reconstructing the official identification of the sender by 


judging identity 
identifications 


of a plurality of anonymous 
of the sender contained in a plurality of 


35 personalized access tickets used by the sender. 
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89. The sedure communication service device of claim 79, 
wherein an aponymous identification of each user that 
contains at least one fragment of an official 
identification of each user by which each user is uniquely 
identifiable \by a certification authority and a link 
information of each anonymous identification by which each 
anonymous ideitif ication can.be uniquely identified are 
defined, the gender's identification and the recipient's 
10 identification! in the personalized access ticket are given 
by a link information of the anonymous identification of 
the sender andl a link information of the anonymous 
identif ication 1 of the recipient, and the computer software 
also causes th4 computer hardware to probabilistically 
15 identify an identity of the sender by reconstructing the 
official identilf ication of the sender by judging identity 
of a plurality [of anonymous identifications of the sender 
corresponding tb the link information contained in a 
plurality of personalized access tickets used by the 
20 sender 


90. The secure communication service device of claim 79, 
wherein when the! access right of the sender with respect to 
the recipient islverified according to the personalized 
25 access ticket, tlie computer software causes the computer 
hardware to take put the recipient's identification from 
the personalized access ticket by using the sender's 
identification presented by the sender, convert the mail by 
using a taken out {recipient ' s identification into "a format 
30 that can be interpreted by a mail transfer function for 

actually carrying put a mail delivery processing, and give 
the mail after conversion to the mail transfer function by 
attaching the personalized access ticket. 


35 91 


A secure proce 


ssing device for use in a communication 
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system realizing email access control, comprising: 
a computer hardware; and 

a computer software for causing the computer hardware 
to receive a request for a personalized access ticket from 
a user, arid issue a personalized access ticket containing a 
sender's ipentif icat ion and a recipient's identification in 
correspondence, which is signed by a secret key of the 
secure processing device. 


10 92. A directory service device for use in a communication 
system realizing email access control, comprising: 
a computer hardware; and 

a computer software for .causing the computer hardware 
to manage anl identification of each registrant and a 

15 disclosed information of each registrant which has a lower 
secrecy than! a personal information, in a state which is 
accessible fir search by unspecified many, and issue a 
personalized (access ticket containing a sender's 
identification and a recipient's identification in 

20 correspondence , to the sender in response to search 
conditions specified by the sender, by using an 
identif icatiom of a registrant whose disclosed information 
matches the search conditions as the recipient's 
identification and the sender's identification specified by 

25 the sender alohg with the search conditions. 


30 


93. A certification authority device for use in a 
communication system realizing email access control, 


comprising: 

a computer 
a computer 
to issue to eac 
user by which e 


35 identification 


hardware; and 

software for causing the computer hardware 

user an official identification of each 
ch user is uniquely identifiable by the 


certification authority device, and an anonymous 


f each user which contains at least one 
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fragment of the official identification, 
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94. A certification authority device for use in a 
communication system realizing email access control, 
comprising: 

a computer hardware; and 

a computer software for causing the computer hardware 
to issue to each user an identification of each user and an 
enabler of the identification of each user indicating a 
right to change any personalized access ticket that 
contains the identification of each user as a holder 


identification , wh 
generally contains 
plurality of recipi 


re the persnalized access ticket 

a sender's identification and a 

ent f s identifications in correspondence, 


15 and one of the sender's identification and the recipient's 


identifications is 


95, 


A secure proce 


a holder identification. 


ssing device for use in a communication 


system realizing email access control, comprising: 
a computer hardware; and 

a computer software for causing the computer hardware 
to receive from a ujser a request for prescribed processing 
on a personalized abcess ticket containing a sender's 
identification and i plurality of recipient's 

correspondence, where one of the 
:ion and the recipient's identifications 
Lcation, and execute the prescribed 
srsonalized access ticket when the user 
xolder identification contained in the 
ticket and an enabler corresponding to 
cation which indicates a right to change 
cess ticket containing the 


identifications in 
sender ' s i dent if ica 
is a holder identif 
processing on the p 
presented both the 
personalized access 
the holder identif} 
the personalized a 


identification of the user as the holder identification, 


35 96. A computer us 


ible medium having computer readable 
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program code means embodied therein for causing a computer 
to function as a secure communication service device for 
use in a comniunication system realizing email access 
control, the computer readable program code means includes: 
first computer readable program code means for causing 
said computerlto receive a personalized access ticket 
containing a sender's identification and a recipient's 
identification in correspondence, which is presented by a 
sender who wishes to send an email to a recipient so as to 
specify the recipient as an intended destination of the 
email; and 

second computer readable program code means for 
causing said computer to control accesses between the 


sender and the r 
the sender with 


ecipient by verifying an access right of 
respect to the recipient according to the 


personalized access ticket, so as to connect communications 


between the send 
network . 


er and the receiver on the communication 


97. The compute 
computer readabl 


r usable medium of claim 96, the second 
e program code means causes said computer 
to authenticate tlhe personalized access ticket presented by 
the sender, and refuse a delivery of the email when the 
personalized access ticket presented by the sender has been 
altered . 


98. The computer 
personalized acces 
secure processing 
access ticket, and 
code means causes 
personalized acces 
secure processing 
using a public key 


35 


isable medium of claim 97, wherein the 

ticket is signed by a secret key of a 
device which issued the personalized 

the second computer readable program 
iaid computer to authenticate the 
s ticket by verifying a signature of the 
qevice in the personalized access ticket 
of the secure processing device. 
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99. The computer usable medium of claim 96, wherein the 
first computer readable program code means causes said 
computer to aVLso receive the sender's identification 
presented by the sender along: with the personalized access 
ticket, and the second computer readable program code means 
causes said computer to check whether the sender's 
identif icationtpresented by the sender is contained in the 
personalized aqcess ticket presented by the sender and 
refuse a delivery of the email when the sender's 
identification presented by the sender is not contained in 
the personalized access ticket presented by the sender. 


100. The computer usable medium of ? claim 96, wherein the 
personalized access ticket also contains a validity period 

15 indicating a perilod for which the personalized access 

ticket is valid, and the second computer readable program 
code means causes I said computer to check the validity 
period contained iln the personalized access ticket 
presented by the slender and refuse a delivery of the email 

20 when the personalised access ticket presented by the sender 
contains the validity period that has already been expired. 


25 


30 
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101. The computer uiable medium of claim 96, wherein the 
second computer readable program code means causes said 
computer to register! in advance the personalized access 
ticket containing anl identif ication of a specific user from 
which a delivery of emails to a specific registrant is to 
be refused as the sender's identification and an 
identification of the: specific registrant as the 
recipient's identification, at the secure communication 
service device, and refuse a delivery of the email from the 
sender when the personalized access ticket presented by the 
sender is registered at the secure communication service 
device in advance. 
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102. The computer usable medium of claim 101, wherein the 
second computer readable program code means causes said 
computer to delete the personalized access ticket 
registered at the secure communication service device upon 

5 request from the specific registrant who registered the 
personalized access ticket. 

103. The computer usable medium of claim 96, wherein the 
personalized alccess ticket also contains a transfer control 

10 flag indicating whether or not the sender should be 

authenticated by the secure communication service device, 
and when the transfer control flag contained in the 
personalized aqcess ticket indicates that the sender should 
be authenticated, the second computer readable program code 

15 means causes salid computer to authenticate the sender's 
identification presented by the sender and refuse a 
delivery of the! email when an authentication of the 
sender's identification fails. 


20 


25 
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35 


104. The computet usable medium of claim 103, wherein the 
second computer readable program code means causes said 
computer to realize the authentication of the sender's 
identification bM a challenge/response procedure between 
the sender and the secure communication service device. 

105. The computer lusable medium of claim 96, wherein the 
sender's identification and the recipient's identification 


in the personalize 
identifications of 
anonymous identif i 
fragment of an off 
which each user is 
authority, and the 
means also causes 
identify an identi 


access ticket are given by anonymous 
the sender and the recipient, where an 
Ration of each user contains at least one 
cial identification of each user by 
uniquely identifiable by a certification 
second computer readable program code 
daid computer to probabilistically 
y of the sender by reconstructing the 
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official id 
of a plural 
contained iiji 
used by the 


ntification of the sender by judging identity 
ty of anonymous identifications of the sender 

a plurality of personalized access tickets 
sender . 


106. The computer usable medium of claim 96, wherein an 
anonymous identification of each user that contains at 
least one fragment of an official identification of each 
user by whicti each user is uniquely identifiable by a 
certification! authority and a link information of each 
anonymous identification by which each anonymous 
identification can be uniquely identified are defined, the 
sender's identification and the recipient's identification 
in the personalized access ticket are given by a link 
information of jthe anonymous identification of the sender 
and a link information of the anonymous identification of 
the recipient, and the second computer readable program 
code means also! causes said computer to probabilistically 
identify an identity of the sender by reconstructing the 
official identification of the sender by judging identity 
of a plurality of anonymous identifications of the sender 

the link information contained in a 
plurality of personalized access tickets used by the 
sender . 


107. The computet usable medium of claim 96, wherein when 
the access right lof the sender with respect to the 
recipient is verllfied according to the personalized access 
ticket, the seconld computer readable program code means 
causes said computer to take out the recipient's 
identification from the personalized access ticket by using 
the sender's identification presented by the sender, 


convert the mail 


y using a taken out recipient's 


identification into a format that can be interpreted by a 


35 mail transfer func 


tion for actually carrying out a mail 
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delivery processing, and give the mail after conversion to 

the mail transfer function by attaching the personalized 
access tickc 

5 108. A computer usable medium having computer readable 


10 


15 


program code 
to function 
communi cat i oh 
computer rea 


means embodied therein for causing a computer 
jas a secure processing device for use in a 

system realizing email access control, the 
liable program code means includes: 


said compute 
access ticke 


first computer readable - program code means for causing 


to receive a request for a personalized 
from a user; and 
second cjpmputer readable program code means for 
causing said computer to issue the personalized access 
ticket containing a sender ' s ; identification and a 
recipient's identification in correspondence, which is 
signed by a secret key of the secure processing device. 


20 


25 


30 


109. A computer usable medium having computer readable 
program code means embodied therein for causing a computer 
to function asja directory service devicer for use in a 
communication system realizing email access control, the 
computer readable program code means includes: 

first computer readable program code means for causing 
said computer to manage an identification of each 
registrant and a! disclosed information of each registrant 
which has a lower secrecy than a personal information, in a 
state which is accessible for search by unspecified many, 
and 

second computer readable program code means for 


causing said comp 


containing a sencer's identification and a recipient's 


identification ir 
to search conditi 


uter to issue a personalized access ticket 


correspondence, to the sender in response 
ons specified by the sender, by using an 


35 identification of \ a registrant whose disclosed information 
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matches theVsearch conditions as the recipient's 
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identif icati 
the sender 


on and the sender's identification specified by 
long with the search conditions. 


110. A computer usable medium having computer readable 
program code means embodied therein for causing a computer 
to function is a certification authority device for use in 
a communication system realizing email access control, the 
computer readable program code means includes: 

first computer readable program code means for causing 
said computer! to issue to each user an official 
identification of each user by which each user is uniquely 
identifiable fyy the certification authority device; and 


second c< 
causing said c 
identification 


mputer readable program code means for 
omputer to issue to each user an anonymous 
of each user which contains at least one 


fragment of the official identification. 

111. A computer usable medium having computer readable 
program code means embodied therein for causing a computer 
to function as la certification authority device for use in 
a communication! system realizing email access control, the 
computer readable program code means includes: 

first computer readable program code means for causing 
said computer tc\ issue to each user an identification of 
each user ; and 

second computer readable program code means for 
causing said computer to issue to each user an enabler of 
the identif icaticin of each user indicating a right to 
change any personalized access ticket that contains the 
identification of each user as a holder identification, 
where the persnallzed access ticket generally contains a 


sender's identif i 
identifications i 


nation and a plurality of recipient's 

i correspondence, and one of the sender's 


35 identification anffl the recipient's identifications is a 
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holder identification , 


112. A compter usable medium having computer readable 
program code means embodied therein for causing a computer 
5 to function as a secure processing device for use in a 
communication system realizing email access control, the 
computer readable program code means includes: 

first computer readable program code means for causing 
said computer Ito receive from a user a request for 

10 prescribed processing on a personalized access ticket 
containing a sender's identification and a plurality of 
recipient's identifications in correspondence, where one of 
the sender's identification and the recipient's 
identifications! is a holder identification; and 

15 second computer readable program code means for 

causing said coniputer to execute the prescribed processing 
on the personalised access ticket when the user presented 
both the holder identification contained in the 
personalized access ticket and an enabler corresponding to 

20 the holder identification which indicates a right to change 
the personalized access ticket containing the 
identification of \ the user as the holder identification. 
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